Abstract

Goldreich and Oren (JoC'94) show that only trivial languages have 2-message zero-knowledge arguments. In this note we consider weaker, super-polynomial-time simulation (SPS) notions of zero-knowledge. We present barriers to using black-box reductions for demonstrating soundness of 2-message protocols with efficient prover strategies satisfying SPS zero-knowledge. More precisely, we show that, assuming the existence of poly(T(n))-hard one-way functions, the following holds:

• For sub-exponential (or smaller) T(·), polynomial-time black-box reductions cannot be used to prove soundness of 2-message T(·)-simulatable arguments based on any polynomial-time intractability assumption. This matches the known 2-message quasi-polynomial-time simulatable arguments using a quasi-polynomial-time reduction (Pass'03), and the 2-message exponential-time simulatable proofs using a polynomial-time reduction (Dwork-Naor'00, Pass'03).

• poly(T(·))-time black-box reductions cannot be used to prove soundness of 2-message strong T(·)-simulatable (efficient prover) arguments based on any poly(T(·))-time intractability assumption; strong T(·)-simulatability means that the output of the simulator is indistinguishable also for poly(T(·))-size circuits. This matches the known 3-message strong quasi-polynomial-time simulatable proofs (Blum'86, Canetti et al.'00).
1 Introduction

The notion of zero-knowledge, and the simulation paradigm used to define it, is of fundamental importance in modern cryptography: most definitions of protocol security rely on it. In a zero-knowledge protocol, a prover P can convince a verifier V of the validity of some mathematical statement $x \in L$, while revealing "zero (additional) knowledge" to V. This zero-knowledge property is formalized by requiring that for every potentially malicious efficient verifier V*, there exists an efficient simulator S that, without talking to P, is able to "indistinguishably reconstruct" the view of V* in a true interaction with P. Namely, the output of S cannot be distinguished (with more than negligible probability) from the true view of V* by any efficient distinguisher D.

Assuming standard cryptographic hardness assumptions, 3-message zero-knowledge proofs with constant soundness [Blu86], 4-message zero-knowledge arguments (where soundness is guaranteed to hold only against efficient provers) with negligible soundness [FS90], and 5-message zero-knowledge proofs with negligible soundness [GK96] are known for all languages in NP; additionally, these interactive proofs/arguments have efficient prover strategies. On the other hand, by the results of Goldreich and Oren [GO94], 2-message zero-knowledge arguments only exist for languages in BPP. In the rest of this note, we focus on interactive proofs/arguments with negligible soundness error and efficient prover strategies.

Super-Polynomial-Simulation (SPS) Zero-Knowledge. The usual notion of zero-knowledge requires the simulator to be efficient (i.e., it runs in polynomial time). However, the notion of super-polynomial-simulation (SPS) zero-knowledge [Pas03] allows the simulator to run in super-polynomial time. More specifically, SPS zero-knowledge is defined just like zero-knowledge, except that the simulator is allowed to run in super-polynomial time T(·); such protocols are referred to as T(·)-simulatable. [Pas03] also defined the (stronger) notion of strong SPS zero-knowledge, with the additional requirement that no poly(T(·))-time distinguisher can distinguish the simulated transcript from a true transcript with better than negl(T(·)) advantage; such protocols are referred to as strong T(·)-simulatable.

It is known that under sub-exponential hardness assumptions, 2-message quasi-polynomial-time (i.e., $T(n) = n^{\mathrm{polylog}\,n}$) simulatable arguments for NP exist, but 2-message T(·)-simulatable proofs only exist for languages in DTIME(poly(T(·))) [Pas03]. On the other hand, for 3-message protocols, strong quasi-polynomial-time simulatable proofs for NP exist [Blu86, CGGM00] (based on sub-exponential hardness assumptions).

This leaves open the following questions regarding 2-message SPS zero-knowledge:

1. Do 2-message SPS zero-knowledge arguments for NP exist based on standard polynomial-time hardness assumptions?

2. Do 2-message strong SPS zero-knowledge arguments for NP exist (even under sub-exponential hardness assumptions)?

In this note, we present barriers to using black-box reductions for providing affirmative answers to the above two questions. In particular, we show the following:

Theorem 1 (Informally Stated). Assuming the existence of poly(T(n))-hard one-way functions, the following holds:

1. For sub-exponential (or smaller) T(·), polynomial-time black-box reductions cannot be used to prove soundness of 2-message T(·)-simulatable (efficient prover) arguments based on any intractability assumption that can be modeled as a security game with a polynomial-time challenger.

2. poly(T(·))-time black-box reductions cannot be used to prove soundness of 2-message strong T(·)-simulatable (efficient prover) arguments based on any intractability assumption that can be modeled as a security game with a poly(T(·))-time challenger.

The first part of our theorem matches the known 2-message quasi-polynomial-time simulatable arguments using a quasi-polynomial-time reduction [Pas03], and the 2-message exponential-time simulatable proofs using a polynomial-time reduction [DN00, Pas03]. The second part of our theorem matches (in terms of round complexity) the 3-message strong quasi-polynomial-time simulatable proofs of [Blu86, CGGM00].

On the Fiat-Shamir Heuristic (added on December 19th, 2012). We were recently made aware of two e-print reports [DSJKLA12, BGW12] (independent of our work) demonstrating barriers to provable security of the Fiat-Shamir heuristic when applied to proof systems. Let us briefly point out that a direct corollary of our Theorem 1 yields an even stronger provability barrier.¹ As we mentioned above, [CGGM00] shows (assuming one-way permutations with sub-exponential hardness) the existence of a 3-message strong quasi-polynomial-time simulatable proof (with negligible soundness error); additionally, this protocol is public coin. Assuming the soundness of the Fiat-Shamir heuristic (when applied only to proof systems), this 3-message proof system can be collapsed to a 2-message strong quasi-polynomial-time simulatable proof system (the "collapsed" protocol is still strong quasi-polynomial-time simulatable, since the hash function used in the Fiat-Shamir heuristic can just be viewed as a particular malicious verifier). Our Theorem 1 shows that this 2-message proof system cannot be proven sound through a black-box reduction to any "standard" assumption.

2 Intractability Assumptions and Black-Box Reductions

Our definition of an intractability assumption closely follows [Pas11]. Following Naor [Nao03] (see also [DOP05, HH09, RV10, GW11]), we model an intractability assumption as an interactive game between a probabilistic machine C, called the challenger, and an attacker A. Both parties get as input $1^n$, where n is the security parameter. For any $t(n) \in [0,1]$ and any "adversary" A, if

$$\Pr\left[\langle A, C\rangle(1^n) = 1\right] \ge t(n) + p(n),$$

then we say that A breaks C with advantage p(n) over the "threshold" t(n). When this happens, we might also say that A breaks (C, t(·)) with advantage p(n). Any pair (C, t(·)) intuitively corresponds to the following assumption:

Assumption (C, t(·)): For every polynomial-time adversary A, there exists a negligible function ν(·) such that for every $n \in \mathbb{N}$, A breaks C with advantage at most ν(n) over the threshold t(n).

¹ Our result also rules out non-uniform security reductions, as well as reductions that only need to work for deterministic attackers, two techniques that are commonly used in cryptographic proofs. In contrast, as far as we can tell, the results of [DSJKLA12, BGW12] only rule out uniform reductions that need to work for randomized attackers.
If the challenger C of the assumption (C, t(·)) is polynomial-time in the security parameter n and the total length of the messages it receives, then we say that the assumption is efficient challenger; such assumptions are referred to as falsifiable assumptions by Naor [Nao03] and Gentry and Wichs [GW11]. More generally, we refer to an assumption (C, t(·)) as having a T(·,·)-time (resp. size) challenger if C can be implemented in time (resp. size) T(n, ℓ) on input the security parameter $1^n$ and when receiving messages of total length ℓ. (C, t(·)) is an efficient challenger assumption if and only if (C, t(·)) has a T(·,·)-time (or size) challenger where T(n, ℓ) is polynomial in both n and ℓ. For simplicity, we here consider either poly(n, ℓ)-time (or size) challengers, or T(n, ℓ) = T(n)-time (or size) challengers, where the running time of the challenger is bounded only as a function of the security parameter.

Note that we can capture super-polynomial hardness of an assumption by allowing super-polynomial-time reductions to the assumption.

Black-Box Reductions. We consider probabilistic polynomial-time Turing reductions, i.e., black-box reductions. A black-box reduction refers to a probabilistic polynomial-time oracle algorithm. Roughly speaking, a black-box reduction for basing the security of a primitive P on the hardness of an assumption (C, t(·)) is a probabilistic polynomial-time oracle machine R such that whenever the oracle O "breaks" P with respect to the security parameter n, then $R^O$ "breaks" (C, t(·)) with respect to a polynomially related security parameter n' that can be efficiently computed given n. We restrict ourselves to the case where n' = n, since without loss of generality we can always redefine the challenger C so that it acts as if its input was actually n' (since n' can be efficiently computed given n). To formalize this notion, we thus restrict ourselves to oracle machines R that on input $1^n$ always query the oracle on inputs of the form $(1^n, \cdot)$.

Definition 1. We say that R is a valid black-box reduction if R is an oracle machine such that $R(1^n)$ only queries its oracle with inputs of the form $(1^n, y)$, where $y \in \{0,1\}^*$.

The reason to restrict R to only query its oracle on a single "input length" n (which is also the case in all known security reductions in the literature) is that standard cryptographic definitions require ruling out the existence of attackers that break some primitive on just an infinite sequence of input lengths; as these input lengths can be very sparse, a black-box reduction might only get to access the adversary over a single "good" input length (and that input length could as well be equal to the length n' over which it wins the challenge). Therefore, it must successfully use the adversary even if it has access to an attacker that only succeeds on a single input length.

3 Barriers to Proving Soundness of 2-Message SPS-ZK

We recall the definition of interactive proofs/arguments and SPS-ZK.

Definition 2 (Interactive Proofs and Arguments [GMR89, BCC88]). A pair of probabilistic interactive algorithms (P, V) is said to be an interactive proof system for an NP-language L with witness relation $R_L$ if V is probabilistic polynomial-time and the following two conditions hold:

• Completeness: There exists a negligible function ν(·) such that for every $x \in L$ and every $y \in R_L(x)$, it holds that

$$\Pr\left[\langle P(y), V\rangle(x) = 1\right] \ge 1 - \nu(|x|).$$

• Soundness: For every (computationally unbounded) interactive algorithm P*, $x \notin L$, and $y \in \{0,1\}^*$, it holds that

$$\Pr\left[\langle P^*(y), V\rangle(x) = 0\right] \ge 1/2.$$

In case the soundness condition holds only with respect to polynomial-time provers P*, the pair (P, V) is called an interactive argument system.

We now give the definition of T(·)-simulatability.

Definition 3 (T(·)-Simulatability [Pas03]). Let (P, V) be an interactive proof/argument system for an NP-language L with witness relation $R_L$. We say that (P, V) is T(·)-simulatable if for every probabilistic polynomial-time adversary V*, there exists a T(·)-time simulator S such that for every probabilistic polynomial-time distinguisher D, there exists a negligible function ν(·) such that for every $x \in L$, $y \in R_L(x)$, and $z, z' \in \{0,1\}^*$, it holds that

$$\left|\Pr\left[D(x, z', \langle P(y), V^*(z)\rangle(x)) = 1\right] - \Pr\left[D(x, z', S(x, z)) = 1\right]\right| < \nu(|x|).$$

We now give the definition of strong T(·)-simulatability.

Definition 4 (Strong T(·)-Simulatability [Pas03]). Let (P, V) be an interactive proof/argument system for an NP-language L with witness relation $R_L$. We say that (P, V) is strong T(·)-simulatable if for every probabilistic polynomial-time adversary V*, there exists a T(·)-time simulator S such that for every probabilistic poly(T(·))-time distinguisher D, there exists a negligible function ν(·) such that for every $x \in L$, $y \in R_L(x)$, and $z, z' \in \{0,1\}^*$,

$$\left|\Pr\left[D(x, z', \langle P(y), V^*(z)\rangle(x)) = 1\right] - \Pr\left[D(x, z', S(x, z)) = 1\right]\right| < \nu(T(|x|)).$$

The notions of SPS zero-knowledge and strong SPS zero-knowledge correspond, respectively, to T(·)-simulatability and strong T(·)-simulatability for a super-polynomial function T(·). It is shown in [Pas03] that both plain and strong poly(T(·))-simulatability are closed under sequential composition; we will rely on the proof of this result.

Barriers to 2-message SPS-ZK. We aim to prove limitations of basing soundness for 2-message SPS-ZK on intractability assumptions. Let us first explicitly define what it means to break soundness.

Definition 5 (Breaking Soundness). We say that A breaks soundness of (P, V) w.r.t. L with probability μ(·) if for every $n \in \mathbb{N}$,

$$\Pr\left[(x, z) \leftarrow A(1^n) : \langle A(1^n, x, z), V(x)\rangle = 1 \;\wedge\; x \notin L\right] \ge \mu(n).$$

Let us turn to defining what it means to base soundness on an intractability assumption (C, t(·)).

Definition 6 (Basing Soundness on the Hardness of (C, t(·))). We say that R is a black-box reduction for basing soundness of (P, V) w.r.t. L on the hardness of (C, t(·)) if R is a valid black-box reduction and there exists a positive polynomial p(·,·) such that for every deterministic (computationally unbounded) adversary A that breaks soundness of (P, V) w.r.t. L with probability μ(·), for every $n \in \mathbb{N}$, $R^A$ breaks (C, t(·)) with advantage p(μ(n), 1/n) on input $1^n$.
Note that we here require that $R^A$ breaks the assumption (C, t(·)) on the security parameter n by querying A on the same security parameter n. As previously mentioned, a seemingly more general definition would allow $R^A$ to break (C, t(·)) on a polynomially related security parameter n' (which can be efficiently computed given n), but this extra generality does not buy us anything, as we can always redefine C so that on input n it acts as if its input was n'.

Additionally, note that we only consider deterministic attackers; this only makes our result stronger (and will be useful to us, as we shall see later). We now state and prove our results:

Theorem 2. Suppose one-way functions secure against poly(T(n))-size circuits exist. Then there exists an NP-language L such that if (P, V) is a 2-message T(·)-simulatable protocol for L, and P runs in polynomial time (given a witness), then for any efficient-challenger assumption (C, t(·)), if there exists a probabilistic polynomial-time black-box reduction R for basing soundness of (P, V) w.r.t. L on the hardness of (C, t(·)), then there exists a probabilistic polynomial-time machine B and a positive polynomial p'(·) such that for sufficiently large $n \in \mathbb{N}$, B breaks (C, t(·)) with advantage 1/p'(n) on input $1^n$. Furthermore, if (P, V) is strong T(·)-simulatable, then the above holds even if we allow C and R to run in poly(T(n)) time, where in this case our algorithm B runs in time poly(T(n)) as well.

Before proving Theorem 2, let us remark that since our lower bound rules out reductions that only need to work for deterministic attackers, by using techniques from [CLMP13] one can directly extend the proof of Theorem 2 to handle non-uniform reductions as well. A non-uniform reduction R also gets a function z(A) of the adversary's (perhaps exponential-size) description as advice before interacting with A; we refer the reader to [CLMP13] for further details.

Proof of Theorem 2. We first prove the theorem for the "plain simulatability" case; we next extend this proof to cover the "strong simulatability" case as well.

By the result of [HILL99], the existence of one-way functions secure against poly(T(n))-size circuits implies the existence of PRGs secure against poly(T(n))-size circuits.² Let $g : \{0,1\}^* \to \{0,1\}^*$ be a length-doubling PRG secure against poly(T(n))-size circuits. Consider the language $L = \{g(s) \mid s \in \{0,1\}^*\}$ with witness relation $R_L(x) = \{s \in \{0,1\}^* \mid g(s) = x\}$.

Suppose (P, V) is a 2-message T(·)-simulatable protocol for L, and P runs in polynomial time given any witness $w \in R_L(x)$. Suppose further that there exists a polynomial-time black-box reduction R and a polynomial p(·,·) such that $R^A$ breaks the assumption (C, t(·)) with advantage p(μ(n), 1/n) on input $1^n$ whenever A is a deterministic (computationally unbounded) adversary that breaks soundness of (P, V) with probability μ(·). Following the "meta-reduction" paradigm of Boneh and Venkatesan [BV98] (which is also used in [Pas11, GW11, Pas13]), we will use R to directly break (C, t(·)) with non-negligible probability. More formally, we exhibit a particular (inefficient) attacker A that breaks soundness of (P, V) with overwhelming probability, and we next show how to "emulate" this attacker for R efficiently without disturbing R's interaction with C.

We first describe our attacker A, and next explain how to emulate it efficiently. More precisely (as in [Pas11]), we define a class of deterministic attackers $A_f$, parametrized by a function $f : \{0,1\}^* \to \{0,1\}^\infty$. Given that $A_f$ is deterministic, we may assume without loss of generality that R never asks its oracle the same query twice. Let S = S(x, z) be the T(·)-time simulator for the verifier V*(x, z) = z, i.e., V* sends z to the prover P to get a response a, and then simply outputs a. On input $1^n$, $A_f$ samples $x \leftarrow \{0,1\}^n$ using $f(1^n)$ as randomness, and then outputs x. Next, on input a "first message" q, $A_f(1^n)$ computes $a = S(x, q)$ using $f(1^n, q)$ as randomness, and responds with the message a.

² Even though [HILL99] proved their result for T(n) = poly(n), since it is black-box, it immediately "scales up" to handle larger T(·) as well.

Let $RO : \{0,1\}^* \to \{0,1\}^\infty$ be a uniformly distributed random oracle. Our first claim is that $A^{RO}$ breaks soundness of (P, V) with overwhelming probability. First note that, except with negligible probability (over the choice of RO), $A^{RO}$ selects a false statement $x \notin L$. Now, consider an alternative attacker $\tilde{A}_f$ that selects $s \in \{0,1\}^{n/2}$ (again using $f(1^n)$ as the randomness), lets x = g(s), and then proceeds just as $A_f$ does. It follows from the indistinguishability property of the simulator S and the completeness of (P, V) that with overwhelming probability $\tilde{A}^{RO}$ convinces the honest verifier. Because of this fact and the poly(T(n))-indistinguishability of $g(U_{n/2})$ and $U_n$, it holds that $A^{RO}$ convinces the honest verifier with overwhelming probability. By the union bound, we thus have that except with negligible probability, $A^{RO}$ selects a false statement and yet convinces the honest verifier; that is, $A^{RO}$ breaks soundness of (P, V) with probability μ(·) = 1 − ν(·), where ν(·) is a negligible function.

By an averaging argument, with probability at least 1 − 10ν(n) over the choice of a random oracle $f \leftarrow RO$, $A_f$ breaks soundness of (P, V) with probability at least 0.9, and for each such "good" choice of f we have that $R^{A_f}(1^n)$ breaks (C, t(·)) with non-negligible advantage p(0.9, 1/n); let α(n) = p(0.9, 1/n). By the union bound, it follows that $R^{A^{RO}}(1^n)$ breaks (C, t(·)) with advantage α(n)/2 for sufficiently large n.

We now construct a probabilistic polynomial-time attacker A that emulates $A^{RO}$. $A(1^n)$ uniformly samples $s \in \{0,1\}^{n/2}$ and outputs x = g(s); next, on input a first message q, A runs the honest prover strategy P(x, s) on input the message q and outputs whatever P outputs. We now show the following claim, which concludes the proof of the first part of Theorem 2 by letting $B = R^A$.

Claim 1. For sufficiently large n, $R^A$ breaks (C, t(·)) with advantage at least α(n)/6 on common input $1^n$.

Proof. From above, we have that $R^{A^{RO}}(1^n)$ breaks (C, t(·)) with advantage α(n)/2 for sufficiently large n. Recall the alternative attacker $\tilde{A}$ defined above. The only difference between $R^{A^{RO}}$ and $R^{\tilde{A}^{RO}}$ is that the former samples a statement from $U_n$ while the latter samples a statement from $g(U_{n/2})$. Since $R(1^n)$ only queries its oracle on the security parameter n, by the poly(T(n))-indistinguishability of $U_n$ and $g(U_{n/2})$, it follows that $R^{\tilde{A}^{RO}}(1^n)$ breaks (C, t(·)) with advantage α(n)/3 for sufficiently large n.

Now, we note that (since R never asks the same query twice) the only difference between $\tilde{A}^{RO}$ and A is that the former uses simulated proofs (of true statements) whereas the latter uses honestly generated proofs. Thus, intuitively, the claim should directly follow from the indistinguishability property of the simulation (and the fact that C and R are polynomial-size). There is a small catch: note that R can query its oracle on several first messages q, which is like the execution of a verifier V* in a sequential composition of (P, V) (on the same fixed statement x). Indeed, by the same argument behind the sequential composition theorem for SPS simulation [Pas03], we will show that indistinguishability still holds. More precisely, let m(n) be an upper bound on the running time of R (in this case, m(n) = poly(n)), and define a sequence of hybrids $H_0, \ldots, H_{m(n)}$ as follows. The hybrid $H_i$ is the output of C when interacting with $R^{A_i}$, where the oracle $A_i$ answers the first i oracle queries (apart from the returned x) with simulated responses (i.e., as $\tilde{A}^{RO}$ would) and answers the remaining queries by running the honest prover strategy (i.e., as A would). Note that $H_0$ is the output of C after interacting with $R^A$, and $H_{m(n)}$ is the output of C after interacting with $R^{\tilde{A}^{RO}}$.

Indistinguishability of any two consecutive hybrids $H_i$ and $H_{i+1}$ follows from the indistinguishability of the simulation and the fact that the oracle responses for all $j > i + 1$ can be generated in polynomial time (given the witness to the selected statement). More formally, if the outputs of hybrids $H_i$ and $H_{i+1}$ are $\alpha(n)/(6m(n))$-distinguishable, we can always fix the first i + 1 queries and the first i oracle responses so that the same $\alpha(n)/(6m(n))$-distinguishability holds, and then use this fact to distinguish between an honest proof and a simulated proof (i.e., the answer to the (i + 1)-th query) with advantage $\alpha(n)/(6m(n))$ (by answering the subsequent oracle queries efficiently using a hard-wired witness), which contradicts the (non-uniform) indistinguishability of the simulation from the honest proof. Thus, the statistical distance between the output bit of the challenger C in hybrids $H_0$ and $H_{m(n)}$ is at most α(n)/6 for sufficiently large n. Since $R^{\tilde{A}^{RO}}(1^n)$ breaks (C, t(·)) with advantage α(n)/3 for sufficiently large n, the claim follows. □
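The advantage accounting that runs through the proof of Claim 1, written out as an added worked derivation (it is not part of the original note; the symbols are those of the proof above). Write $\mathrm{Adv}(R^{X})(n) = \Pr[\langle R^{X}, C\rangle(1^n) = 1] - t(n)$ for the advantage of R with oracle X over the threshold, and $\delta_g(n)$ for the best poly(T(n))-size distinguishing advantage between $U_n$ and $g(U_{n/2})$, which is negligible by the assumption on g.

Averaging over the oracle: the expected failure probability of $A_f$ over $f \leftarrow RO$ is at most $\nu(n)$, so by Markov's inequality

$$\Pr_{f \leftarrow RO}\Big[\Pr[A_f \text{ fails to break soundness}] \ge 0.1\Big] \le 10\,\nu(n),$$

and for every "good" f (probability at least $1 - 10\nu(n)$) the reduction $R^{A_f}$ has advantage $\alpha(n) = p(0.9, 1/n)$. Since the winning probability is non-negative for bad f,

$$\Pr\big[\langle R^{A^{RO}}, C\rangle(1^n) = 1\big] \ge (1 - 10\nu(n))\,(t(n) + \alpha(n)) \ge t(n) + \alpha(n) - 20\,\nu(n) \ge t(n) + \frac{\alpha(n)}{2},$$

where the middle step uses $t(n) + \alpha(n) \le 2$ and the last holds whenever $40\,\nu(n) \le \alpha(n)$, i.e. for all sufficiently large n, because $\alpha(n) \ge 1/\mathrm{poly}(n)$ while $\nu$ is negligible.

Switching to true statements: $R(1^n)$ only queries its oracle at length n, so (after fixing the best choice of the random oracle non-uniformly) the whole experiment $\langle R^{A^{RO}}, C\rangle(1^n)$ is a poly(T(n))-size test applied to the single sample x, and

$$\mathrm{Adv}(R^{\tilde{A}^{RO}})(n) \ge \frac{\alpha(n)}{2} - \delta_g(n) \ge \frac{\alpha(n)}{3} \quad \text{once } \delta_g(n) \le \frac{\alpha(n)}{6}.$$

Hybrids: each consecutive pair is at most $\alpha(n)/(6m(n))$ apart, so by the triangle inequality over the m(n) steps

$$\big|\mathrm{Adv}(R^{\tilde{A}^{RO}})(n) - \mathrm{Adv}(R^{A})(n)\big| \le \sum_{i=0}^{m(n)-1} \mathrm{SD}(H_i, H_{i+1}) \le m(n) \cdot \frac{\alpha(n)}{6\,m(n)} = \frac{\alpha(n)}{6},$$

and therefore

$$\mathrm{Adv}(R^{A})(n) \ge \frac{\alpha(n)}{3} - \frac{\alpha(n)}{6} = \frac{\alpha(n)}{6},$$

which is exactly the bound of Claim 1; setting $B = R^{A}$ and $1/p'(n) = \alpha(n)/6$ gives the first part of Theorem 2.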

Second part of Theorem 2. We finally note that if (P, V) is strong T(·)-simulatable, then the very same argument works even if C and R run in time poly(T(n)) (as opposed to poly(n)). The only difference is that now we use m(n) = poly(T(n)) hybrids in the proof of Claim 1 (because the reduction R can call its oracle poly(T(n)) times). Now, for every pair of consecutive hybrids $H_i$ and $H_{i+1}$, the distinguishability gap that could be obtained by any poly(T(n))-time distinguisher is at most negligible in T(n), due to the strong T(·)-simulatability property. Therefore, the statistical distance between the output of the challenger in hybrids $H_0$ and $H_{m(n)}$ is at most negligible in T(n), which is in turn at most negl(n). Therefore the statement of Claim 1 still holds as before. □
A Related Separation Results

There is a large literature on separation results between cryptographic primitives/assumptions. We distinguish between two types of results:

Separations for fully black-box constructions. The seminal work of Impagliazzo and Rudich [IR88] provides a framework for proving black-box separations between cryptographic primitives. We highlight that this framework refutes the possibility of so-called "fully black-box constructions" (see [RTV04] for a taxonomy of various black-box separations); that is, this framework considers both black-box constructions (i.e., the higher-level primitive only uses the underlying primitive as a black box) and black-box proofs of security (i.e., the security reduction only uses the adversary against the constructed scheme as a black box). Most black-box separation results fall into this framework (e.g., [Sim98, GKM+00, BMG07, HHRS07], to name a few). As shown by [RTV04], some of these separations extend to the setting where the security reduction is "semi" or even "weakly" black-box, but we emphasize that the construction is always black-box.
Separations for black-box security reductions. In recent years, new types of separations between cryptographic primitives/assumptions have emerged. These separations apply even to non-black-box constructions as long as the proof of security is black-box: Pass [Pas06] and Pass, Tseng and Venkitasubramaniam [PTV11] demonstrate that under certain (new) complexity-theoretic assumptions, various cryptographic tasks cannot be based on one-way functions using a black-box security reduction, even if the protocol uses the one-way function in a non-black-box way. (These results follow techniques used by Brassard [Bra83] and Akavia et al. [AGGM06] to demonstrate limitations of "NP-hard cryptography".)³

Recently, two independent works demonstrated similar types of separation results, but this time ruling out security reductions to a general set of intractability assumptions: Pass [Pas11] demonstrates the impossibility of using black-box reductions to prove the security of several primitives (e.g., Schnorr's identification scheme, commitment schemes secure under weak notions of selective opening, Chaum blind signatures, etc.) based on any "bounded-round" intractability assumption (where the challenger uses an a-priori bounded number of messages, but is otherwise unbounded). Gentry and Wichs [GW11] (assuming the existence of strong pseudorandom generators) demonstrate the impossibility of using black-box security reductions to prove soundness of "succinct non-interactive arguments" based on any falsifiable assumption (where the challenger is computationally bounded). An even more recent work by Pass [Pas13], developed in parallel with the current note, rules out constructions of statistical NIZK with adaptive soundness and of non-interactive non-malleable commitments based on falsifiable assumptions.

Our results in this work fall into this second category and rule out black-box security reductions for proving the soundness of various forms of SPS zero-knowledge protocols even if the construction is arbitrarily non-black-box.


³ See also the results of Feigenbaum and Fortnow [FF93] and the result of Bogdanov and Trevisan [BT03] that demonstrate limitations of NP-hard cryptography for restricted types of reductions.